The Problem

Controlling Outbound VPC Traffic

An important security measure for your VPCs is to effectively control outbound network traffic (egress), distinguishing legitimate requests from illegitimate ones. If internal users or cloud instances are compromised, they pose a significant threat if attackers are able to exfiltrate data. Many compliance frameworks, including PCI DSS and HIPAA, require egress security controls. That said, there are many reasons why cloud users or instances within VPCs need Internet access.

The reasons range from fetching basic software updates from Microsoft, Google or Ubuntu to application access to a third-party or SaaS service over the Internet. If you have more than a handful of VPCs, managing whitelists on a per-VPC basis can become a major source of pain. It can also be cost-prohibitive to deploy next-generation firewall solutions per VPC. What is needed is a centrally managed, scalable, cost-effective solution.

Squid jerky is too tough to chew.

—Charlie, Cloud Ops

The open source Squid proxy is hard to manage and limited when used for cloud VPCs:

Manual administration of policies, per VPC

Tedious configuration of each new instance to use Squid; new instances can appear without Squid being reconfigured, which is a serious security risk

The Aviatrix Solution

VPC Egress Security

The Aviatrix solution provides inline AVX Gateways with egress firewall functions in each VPC, with centralized policy management in the AVX Controller. It blocks all outbound Internet traffic except specific whitelisted domain names (FQDNs). Outbound traffic is directed through the AVX filtering and monitoring instance on a per-VPC basis. The inline Gateways are highly available, designed to leverage Availability Zones (AZs) and automatic failover.

The Controller gives CloudOps teams centralized policy management, including the ability to tag VPCs and assign policies to tags. The Controller also provides centralized audit logs. Finally, using AVX CloudFormation Templates, CloudOps teams can automate the deployment of VPC egress security for new VPCs. This is a cost-effective solution, priced at a fraction of other popular solutions.

Centrally Managed Security for AWS

Cloud Native Design

Reduces AWS Costs

Centralized Management Console

Click and done. With the AVX point-and-click interface, configuration and monitoring of all policies and traffic can be administered centrally by engineers and non-engineers alike.

FQDN Discovery

Discover what Internet sites your apps visit before you configure.

Security Policy Tagging

Create tags for different policies like “dev” and “prod.” Apply those tags to VPCs.

Easily Audit Security Events

Everything is logged, including the packets. View the logs in AVX or export them to Splunk, Sumo Logic, Datadog and other tools to standardize reporting and event correlation.
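To make the tag-based policy model above concrete, here is an added Python sketch (not Aviatrix code) of default-deny FQDN allowlisting keyed by VPC tag, with one audit line per decision of the kind you would ship to a SIEM. The policy tags, VPC IDs and hostnames are constructed samples.

```python
"""Model of tag-based FQDN egress allowlisting with per-decision audit logging."""
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: policy tags and the VPCs they are applied to.
# Default is deny: a VPC with no tag, or a tag with no policy, gets nothing out.
POLICIES = {
    "dev": ["*.ubuntu.com", "ubuntu.com", "pypi.org", "files.pythonhosted.org"],
    "prod": ["security.ubuntu.com", "api.saas.example"],
}
VPC_TAGS = {"vpc-0a1b2c3d": "dev", "vpc-0f9e8d7c": "prod"}

@dataclass(frozen=True)
class Decision:
    vpc_id: str
    fqdn: str
    tag: Optional[str]
    allowed: bool
    matched: Optional[str]  # the allowlist entry that matched, if any

def normalize(fqdn: str) -> str:
    """Lowercase and drop the trailing dot so 'Pypi.ORG.' equals 'pypi.org'."""
    return fqdn.strip().lower().rstrip(".")

def fqdn_allowed(fqdn: str, allowlist: list) -> Optional[str]:
    """Return the matching allowlist entry, or None. The pattern is anchored to the
    whole name, so '*.ubuntu.com' matches subdomains of ubuntu.com but not
    ubuntu.com itself and not a lookalike like 'archive.ubuntu.com.attacker.example'."""
    name = normalize(fqdn)
    for entry in allowlist:
        if fnmatch.fnmatchcase(name, normalize(entry)):
            return entry
    return None

def evaluate(vpc_id: str, fqdn: str) -> Decision:
    """Resolve the VPC's tag, then the tag's allowlist; anything unmatched is denied."""
    tag = VPC_TAGS.get(vpc_id)
    matched = fqdn_allowed(fqdn, POLICIES.get(tag, []))
    return Decision(vpc_id, fqdn, tag, matched is not None, matched)

def audit_line(d: Decision) -> str:
    """One key=value log line per decision, easy to ship to Splunk or Datadog."""
    return (f"vpc={d.vpc_id} tag={d.tag or '-'} fqdn={normalize(d.fqdn)} "
            f"action={'ALLOW' if d.allowed else 'DENY'} rule={d.matched or '-'}")

if __name__ == "__main__":
    for vpc, host in [("vpc-0a1b2c3d", "security.ubuntu.com"), ("vpc-0f9e8d7c", "pypi.org"),
                      ("vpc-0a1b2c3d", "archive.ubuntu.com.attacker.example")]:
        print(audit_line(evaluate(vpc, host)))
```

The lookalike case shows why the match must be anchored to the whole name: a suffix check that only looks for "ubuntu.com" somewhere in the string would let the third request through.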

Learn More

What is VPC Egress Filtering & Security?

When businesses consider network traffic security measures for AWS VPCs, they need to ensure that outbound network traffic is addressed alongside inbound network traffic. Egress is the outbound network traffic that originates from internally networked instances in your AWS VPC and is destined for another network. In the case of servers and VPCs, this is generally Internet-bound egress.

It is important that outbound network traffic is effectively controlled, distinguishing allowed requests from prohibited ones. If internal users or cloud instances in VPCs are compromised, they pose a significant threat if attackers are able to exfiltrate data or use your outbound network traffic for their malicious activities.